PoC Released For Critical Zero-Click Windows Vulnerability

Microsoft’s wide reach as a target prompted attackers to carry out intensive studies on the vulnerabilities and mitigation tools of their products and protocols. 

This resulted in a new remote code execution (RCE) WinAPI CreateUri function vulnerability, introduced as part of the CVE-2023-23397 patch.

Unlike the previous two-vulnerability RCE chain, this flaw enables zero-click RCE exploitation.

Cybersecurity researchers at Akamai recently unveiled that PoC was released for critical zero-click Windows vulnerability.

In addition to Outlook, File Explorer may trigger that flaw, increasing the attack surface.

This finding demonstrates the need for ongoing security evaluations, even in fixed components, to effectively recognize and handle emerging dangers.

Zero-Click Windows Vulnerability

Microsoft’s March 2023 Patch Tuesday addressed the critical CVE-2023-23397 Outlook vulnerability, exploited in the wild by the Russian state-sponsored threat actor “Forest Blizzard.”

The flaw allowed remote, zero-click NTLM credential theft for relay attacks. 

After patching, researchers discovered two bypasses and a parsing vulnerability that, when chained, enabled a full zero-click remote code execution (RCE) primitive against the Outlook client. 

This highlights the importance of comprehensive vulnerability analysis, as patched components can still hold exploitable flaws requiring additional mitigations, especially against determined, state-backed threat actors continuously probing for new attack vectors.

The patch for Outlook’s CVE-2023-23397 introduced a call to MapUrlToZone that validated the PidLidReminderFileParameter URL, which helps in mitigating the initial flaw but creates a new attack surface. 

Also, CreateUri is called from within MapUrlToZone and enables attackers to control the parsed path. CrackUrlFile is called by CreateUri when it handles file paths, eventually leading to exploitation.

It should also be noted that while addressing some vulnerability at one point, this patch at the same time opened another door for potential abuse due to failure in fully validating untrusted inputs across all code paths.

These findings demonstrate how crucial comprehensive security reviews during patch development are to prevent new vulnerabilities from being introduced into systems.

At the beginning of CrackUrlFile, it converts a URL into a Windows path using PathCreateFromUrlW.

It marks the buffer as dynamically allocated, and for the Windows paths, it just works without freeing the pointer. The buffer may be advanced during parsing to handle local device paths and remove duplicated backslashes.

To trigger this vulnerability, use a file scheme URL with a UNC path and mark this path as a drive path.

In the fixed code, RtlMoveMemory now copies bytes from the path component. Here’s the full path to trigger the vulnerability:-

file://./UNC/C:/Akamai.com/file.wav

In this study, the Akamai researchers explored a method of making Windows Explorer vulnerable through a shortcut (.lnk file) to an insecure path.

When the victim views the directory containing the shortcut, Explorer crashes immediately.

These findings highlight how crucial it is to analyze patches for any possible bypasses, as there may also be other MapUrlToZone bypasses.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.